Create a serverless schedule for Microsoft Certificate Authority (CA) discovery

  • Release version: Australia
  • Updated: March 12, 2026
  • Time required: 6 minutes
  • Create a serverless discovery schedule to discover Microsoft Certificate Authority (CA) certificates.

    Before you begin

    • Verify that the CA process is up and running on the host machine.
    • Verify that a Windows host was discovered during a previous horizontal discovery. For more information, see Windows discovery.

    Role required: discovery_admin

    Procedure

    1. Navigate to All > Discovery > Discovery Schedules.
    2. Create the discovery schedule record.
      1. Select New.
      2. On the form, fill in the fields.
        Table 1. Discovery Schedule New record form

        | Field | Description |
        | --- | --- |
        | Name | Unique name for this discovery schedule. For example: Discover MS CA. |
        | Discover | Scan type, which should be Certificates. |
        | Certificate Discovery Type | Certificate type, which should be CA Trust Discovery. |
        | MID server | Name of the MID Server to use for this schedule. |
        | Active | Enables this schedule for discovery. |
      3. Select Submit.
    3. Create the execution pattern.
      1. In the Discovery Schedules page, select the record you created.
      2. In the Serverless Execution Patterns tab, select New.

        Discovery uses each execution pattern to discover up to 20,000 certificates. For deployments using more than 20,000 certificates, create several execution patterns.

      3. On the form, fill in the fields.
        Table 2. Serverless Execution Pattern New record form

        | Field | Description |
        | --- | --- |
        | Name | Descriptive name for this record. For example: Discover MS CA. |
        | Pattern | Pattern to be used for this schedule, which should be the Microsoft CA - Certificate Management pattern. |
        | Proxy Host | CI name of the Windows host running the Microsoft CA Service, discovered in a previous discovery and populated in the CMDB. |
        | Active | Option to enable this schedule for discovery. |
      4. Select Submit.
    4. Set the pattern launcher parameters.
      1. In the Discovery Pattern Launcher Parameters tab, select the record you created.
      2. On the form, fill in the fields.
        | Parameter | Description |
        | --- | --- |
        | template_list | Determines whether to search on all the request IDs or on a template ID to discover certificates. Set to all to discover across all certificate request IDs in ascending order, bounded either by the default execution pattern limitation of 20,000 or by the values set in start_offset or limit. Set to a template ID to search for certificates only in that specific template ID. |
        | start_offset | Optional. Specifies the number of the certificate from which to start discovery. Relevant only when template_list is set to all and for deployments with over 20,000 certificates. If you create multiple serverless execution patterns for deployments with over 20,000 certificates, use 1 for the first execution, 20001 for the second, and so on. If this parameter remains empty, start_offset defaults to 1. |
        | limit | Optional. Limits the certificate discovery to the specified value. Relevant only when template_list is set to all. If the parameter remains empty, the limit defaults to 20,000 certificates. |
        | ip | IP address of the server on which the CA process (certsrv) is running. |
        | discover_SAN_for_template | Optional. When set to true, enables the discovery of the subject alternative name (SAN) of the certificates when a template ID is provided in the template_list parameter. This parameter executes separate commands for each certificate within the template ID, which could impact performance. When searching on all request IDs, SAN is automatically discovered, so this parameter should remain empty. |

      3. Select Submit.
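
When a deployment needs several execution patterns, a mistyped start_offset leaves certificates out of the inventory or scans them twice. The following check is an added example, not ServiceNow code: it applies the defaults described above and reports gaps and overlaps. It assumes a pattern covers certificate numbers start_offset through start_offset + limit - 1; the function names and sample values are constructed for illustration.

```python
PATTERN_CAP = 20_000  # per-pattern ceiling and default limit stated on this page


def effective_range(params):
    """Return the inclusive (first, last) certificate numbers one pattern covers.

    Empty or missing values use the documented defaults:
    start_offset -> 1, limit -> 20,000.
    """
    start = int(params.get("start_offset") or 1)
    limit = int(params.get("limit") or PATTERN_CAP)
    if start < 1 or limit < 1:
        raise ValueError(f"start_offset and limit must be positive: {params}")
    if limit > PATTERN_CAP:
        raise ValueError(f"limit {limit} exceeds the {PATTERN_CAP} per-pattern cap")
    return start, start + limit - 1


def check_coverage(patterns, total_certs):
    """Report gaps and overlaps among patterns that use template_list=all.

    Assumption (not confirmed by the page): each pattern covers certificate
    numbers start_offset .. start_offset + limit - 1.
    """
    ranges = sorted(effective_range(p) for p in patterns
                    if p.get("template_list") == "all")
    gaps, overlaps, next_needed = [], [], 1
    for first, last in ranges:
        if first > next_needed and next_needed <= total_certs:
            gaps.append((next_needed, min(first - 1, total_certs)))
        elif first < next_needed:
            overlaps.append((first, min(last, next_needed - 1)))
        next_needed = max(next_needed, last + 1)
    if next_needed <= total_certs:
        gaps.append((next_needed, total_certs))
    return {"gaps": gaps, "overlaps": overlaps}


if __name__ == "__main__":
    # Constructed sample: 65,000 certificates, three patterns as typed in the form.
    sample = [
        {"template_list": "all", "start_offset": "", "limit": ""},
        {"template_list": "all", "start_offset": "20000", "limit": ""},  # off by one
        {"template_list": "all", "start_offset": "40001", "limit": "20000"},
    ]
    print(check_coverage(sample, total_certs=65_000))
```
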

    What to do next

    Either execute discovery immediately by selecting Discover now or wait until the predefined schedule triggers the discovery.